What GAO* Found
Since the 2017 designation of election infrastructure as critical infrastructure, the Department of Homeland Security (DHS), through its Cybersecurity and Infrastructure Security Agency (CISA), has assisted state and local election officials in securing election infrastructure through regional support and assistance, education, and information sharing. Such efforts help state and local election officials protect various election assets from threats (see figure).
Figure: Examples of Election Assets Subject to Physical or Cyber Threats
In August 2019, the CISA Director identified election security as one of the agency's top five operational priorities. CISA security advisors, who are located throughout the country, consult with state and local election officials and identify voluntary, no cost services that CISA can provide. According to CISA, as of November 2019, 24 cybersecurity advisors and 100 protective security advisors perform and coordinate cyber and physical security assessments for the 16 critical infrastructure sectors, including the Election Infrastructure Subsector. Technical teams at CISA headquarters generally provide the services, once requested.
To further assist state and local election officials, CISA conducted two exercises simulating real-world events and risks facing election infrastructure in August 2018 and June 2019. According to CISA, the 2019 exercise included 47 states and the District of Columbia. In addition, CISA has funded the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC). According to CISA officials, the EI-ISAC is the primary mechanism for exchanging information about threats and vulnerabilities throughout the election communit`y. The EI-ISAC director reported that, as of November 2019, its members included 50 states, the District of Columbia, and 2,267 local election jurisdictions, an increase from 1,384 local jurisdictions that were members in 2018. As a result of its efforts, CISA has provided a variety of services to states and local election jurisdictions in the past 2 years (see table).
Table: Number of Selected Cybersecurity and Infrastructure Security Agency Services Provided to States and Local Election Jurisdictions in 2018 and 2019, as of November 6, 2019
Service |
States |
Local election jurisdictions |
---|---|---|
Continuous scanning of internet-accessible systems for known vulnerabilities |
40 |
161 |
Assessments of potential network security vulnerabilities |
26 |
20 |
Remote testing of externally accessible systems for potential vulnerabilities |
4 |
44 |
Assessments of states' and local jurisdictions' susceptibility to malicious emails |
10 |
5 |
Educational posters on cybersecurity |
19 |
1,202 |
Source: Cybersecurity and Infrastructure Security Agency. | GAO-20-267
*The U.S. Government Accountability Office (GAO) is an independent, nonpartisan agency that works for Congress. Often called the "congressional watchdog," GAO examines how taxpayer dollars are spent and provides Congress and federal agencies with objective, reliable information to help the government save money and work more efficiently.